Packet Encryption

TACACS+ encrypts the entire data payload of the packet, leaving only the standard TACACS+ header in cleartext. While it’s possible for debugging purposes to leave the body of the packets unencrypted, normal operation will fully encrypt the body for more secure communications. A field in the header indicates whether the body is encrypted.

• TACACS+ supports two methods for controlling the authorization of router commands on either a per-user or per-group basis.

• Assign commands to privilege levels and have the router use TACACS+ to verify that the user is authorized at the specified privilege level.

Explicitly define on the TACACS+ server the commands allowed on a per-user or per-group basis.